Re: Changing Cloud Controller Database (CC_DB) encryption key after the DB has been created?


Sandy Cash Jr <lhcash@...>
 

The key is used in a field encryptor - so if you change the key, you can no
longer decrypt encrypted fields in the database (at least, this is my gut
instinct about what you're seeing). My guess is that, if you change the
encryption key, you need a procedure which includes saving the old key long
enough to decrypt the fields, then re-encrypt them using the new key.
There are definite transaction boundaries you'd need to observe before
throwing away the previous key.

My $0.02,

-Sandy


--
Sandy Cash
Certified Senior IT Architect/Senior SW Engineer
IBM BlueMix
lhcash(a)us.ibm.com
(919) 543-0209

"I skate to where the puck is going to be, not to where it has been." -
Wayne Gretzky
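The procedure Sandy sketches (keep the old key, decrypt each field with it, re-encrypt with the new key, and do the whole thing inside a transaction so a partial rotation can't leave the table half under each key) looks like the following. This is an added example, not Cloud Controller's own encryptor or any code from this thread: the AES-256-GCM field format, the SHA-256 key derivation from the manifest secret, the in-memory `rows` array standing in for a CC_DB table, and the snapshot/restore standing in for `BEGIN`/`COMMIT`/`ROLLBACK` are all assumptions made for illustration. It also shows the failure mode Sandy describes: a value written under the old secret cannot be read under the new one, and the decryption error is what bubbles up.

```ruby
require 'openssl'
require 'digest'
require 'base64'

# Toy field encryptor, assumed for this example (not Cloud Controller's real one):
# AES-256-GCM, key derived straight from the manifest secret, stored value is
# base64(iv || tag || ciphertext). GCM authenticates the tag, so decrypting under
# the wrong key fails deterministically instead of returning garbage.
IV_LEN  = 12
TAG_LEN = 16

def field_key(secret)
  Digest::SHA256.digest(secret)   # assumption: 32-byte key from the db_encryption_key value
end

def encrypt_field(plain, secret)
  c = OpenSSL::Cipher.new('aes-256-gcm')
  c.encrypt
  c.key = field_key(secret)
  iv = c.random_iv                # fresh 12-byte nonce per field write
  c.auth_data = ''
  ct = c.update(plain) + c.final
  Base64.strict_encode64(iv + c.auth_tag + ct)
end

def decrypt_field(stored, secret)
  raw = Base64.strict_decode64(stored)
  iv  = raw.byteslice(0, IV_LEN)
  tag = raw.byteslice(IV_LEN, TAG_LEN)
  ct  = raw.byteslice(IV_LEN + TAG_LEN, raw.bytesize - IV_LEN - TAG_LEN)
  c = OpenSSL::Cipher.new('aes-256-gcm')
  c.decrypt
  c.key = field_key(secret)
  c.iv = iv
  c.auth_tag = tag
  c.auth_data = ''
  (c.update(ct) + c.final).force_encoding(Encoding::UTF_8)
  # raises OpenSSL::Cipher::CipherError when `secret` is not the key the field was written with
end

# Rotate every encrypted field in `rows` from old_secret to new_secret.
# `rows` stands in for the CC_DB table. The snapshot/restore simulates one DB
# transaction around the whole rotation: either every row ends up under the new
# key or none does, and only after the commit is it safe to discard old_secret.
def rotate_secret!(rows, fields, old_secret, new_secret)
  snapshot = rows.map(&:dup)                                   # BEGIN
  rows.each do |row|
    fields.each do |f|
      next if row[f].nil?
      plain  = decrypt_field(row[f], old_secret)                # must still succeed under the old key
      row[f] = encrypt_field(plain, new_secret)
    end
  end
  rows.length                                                  # COMMIT; number of rows rotated
rescue OpenSSL::Cipher::CipherError, ArgumentError
  rows.each_with_index { |row, i| row.replace(snapshot[i]) }   # ROLLBACK: nothing is half-rotated
  raise
end

# Walk through the situation from the thread with constructed sample rows.
def demo
  old_secret = 'c1oudc0w'                   # constructed value, not a real deployment secret
  new_secret = 'randomly-generated-secret'  # the value you want to put in the manifest instead
  rows = [
    { 'guid' => 'svc-1', 'credentials' => encrypt_field('{"password":"hunter2"}', old_secret) },
    { 'guid' => 'svc-2', 'credentials' => encrypt_field('{"token":"abc123"}', old_secret) },
  ]
  # Just changing the manifest value without rotating the data: reads now fail.
  before = (decrypt_field(rows[0]['credentials'], new_secret) rescue :undecryptable)
  # Rotating while the old secret is still available: reads succeed under the new one.
  rotate_secret!(rows, ['credentials'], old_secret, new_secret)
  after = decrypt_field(rows[0]['credentials'], new_secret)
  { before: before, after: after }
end
```

The check worth keeping from this: if any row fails to decrypt under the old key (a row written under some third key, or corrupted data), the rotation aborts and the table is restored, rather than committing a mix of old-key and new-key rows that no single manifest value can read.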



From: "Daniel van Dorp" <daniel(a)vandorp.biz>
To: cf-dev(a)lists.cloudfoundry.org
Date: 11/06/2015 10:19 AM
Subject: [cf-dev] Changing Cloud Controller Database (CC_DB) encryption
key after the DB has been created?



This is a follow-up to this Google Groups conversation:
https://groups.google.com/a/cloudfoundry.org/d/msg/vcap-dev/AnJm9aGe07Y/eB9qv689b2gJ


Basically, for a development installation set up via this:
https://github.com/cloudfoundry-community/cf-boshworkspace/blob/master/deployments/cf-aws-large.yml#L39


I want to change the secret over there to a randomly generated value instead.

When I do this before using the installation (e.g. creating spaces and
apps), all is well.

However, if I do this after using the installation, I get these errors:
FAILED
Error finding available spaces
Server error, status code: 500, error code: 10001, message: An unknown
error occurred.

Pretty much what was mentioned here:
https://groups.google.com/a/cloudfoundry.org/d/msg/vcap-dev/AnJm9aGe07Y/N25ejNpHWyYJ


In the conversation that I'm trying to follow up here
(https://groups.google.com/a/cloudfoundry.org/d/msg/vcap-dev/AnJm9aGe07Y/N25ejNpHWyYJ),
it is stated:
"you can't change your DB encryption key in your manifest after the DB has
been created!"

That would mean that, after using an installation, you can never change
your secrets for the CC_DB again?
I personally find that hard to believe, since the secret can be changed
just fine in many, if not all, other places within CF.
There should be a workaround/manual fix/procedure for this kind of change
to the CC_DB, I think?
